One of the sample logs is as follows:
time="2020-02-12 13:45:37" user-name="abc12345@def-ghi-01.com" proto="HTTPS"
Now I want to extract the abc12345 from the raw log's user-name as "user_name". To do that, I have put the regex below in props.conf for that sourcetype.
props.conf:
EXTRACT-user = user-name=(?<user_name>[^+@]*)@*\sproto=
Still, the above regex didn't work for extracting the abc12345 under user_name. I see abc12345@def-ghi-01.com under the user_name field.
I want to exclude the @.....com and extract only the username string prior to the @ sign.
Any help would be great.
Try this. You should test it out with rex first, inline in your search, to verify it works.
user-name\=\"(?<user>[a-z1-9]+)
| rex "user-name\=\"(?<user>[a-z1-9]+)"
Hi
Try this
[your source type]
EXTRACT-username = ^(?:[^"\n]*"){3}(?P<username>[^@]+)
or
[your source type]
EXTRACT-username = user\-name\=\"(?P<username>[^@]+)
Try this (props.conf on your search head)
EXTRACT-user = user-name=\"(?<user_name>[^\@]+)
Thanks for the response @somesoni2. I tried the regex but it's not working for some reason; I don't understand why. I could be missing something, since the regex seems good and it should work. It's just getting all the emails without skipping the @ part for some reason.
Thanks for the response @skoelpin. It's working for now, but what if there are some non-numeric or non-alphabetic characters in the username? I think this regex won't work if a username has abc_123@xyz.com
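An added example, not part of the original thread: a Python check of the patterns posted above against the thread's sample line and a few constructed values, including the abc_123@xyz.com case raised in the last comment. The group names are normalised to user_name, every sample value other than the first is constructed, and the up_to_at_or_quote pattern is an assumption of this example rather than an answer from the thread.

```python
import re

# Thread patterns rewritten with (?P<name>...), the only named-group syntax
# Python's re accepts; Splunk's PCRE also takes (?<name>...). All groups are
# renamed to user_name here so the results can be compared side by side.
PATTERNS = {
    # From the question; the group name is assumed from the stated field name.
    "question": r'user-name=(?P<user_name>[^+@]*)@*\sproto=',
    # From the answers in the thread.
    "char_class": r'user-name\=\"(?P<user_name>[a-z1-9]+)',
    "quote_count": r'^(?:[^"\n]*"){3}(?P<user_name>[^@]+)',
    "up_to_at": r'user-name=\"(?P<user_name>[^\@]+)',
    # Not from the thread: also stops at the closing quote.
    "up_to_at_or_quote": r'user-name="(?P<user_name>[^@"]+)',
}

# First value is the thread's sample; the others are constructed edge cases.
SAMPLES = ["abc12345@def-ghi-01.com", "abc_123@xyz.com",
           "jdoe01@xyz.com", "noatsign"]


def make_line(value):
    """Build an event in the format of the thread's sample log line."""
    return f'time="2020-02-12 13:45:37" user-name="{value}" proto="HTTPS"'


def extract(pattern_name, value):
    """Return the captured user_name, or None when the pattern does not match."""
    match = re.search(PATTERNS[pattern_name], make_line(value))
    return match.group("user_name") if match else None


def compare():
    """Map each pattern name to its captures for every sample value."""
    return {name: [extract(name, v) for v in SAMPLES] for name in PATTERNS}


if __name__ == "__main__":
    for name, results in compare().items():
        print(f"{name:18} {results}")
```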